TRENDING TOPICS DEC 23, 2025

MacSync Stealer Escalates macOS Risk Through Trusted App Abuse

Jamf Threat Labs has identified a significant evolution in the MacSync Stealer malware that materially increases risk for macOS users by abusing Apple’s built-in trust mechanisms. In this campaign, the malware is delivered as a fully code-signed and notarized Swift application, allowing it to pass Gatekeeper checks and appear indistinguishable from legitimate software during installation. The malicious app is distributed inside a disk image hosted on a professional-looking website and packaged with benign documents to inflate its size and reinforce legitimacy. This approach removes the need for terminal interaction or overt user manipulation, making the infection process quieter and easier to miss. At the time of discovery, antivirus detection was low, demonstrating the effectiveness of notarization in delaying visibility and response. Only after disclosure did Apple revoke the developer certificate associated with the malware.

Once installed, the application functions as a stealthy dropper that retrieves and executes the MacSync Stealer payload in a controlled, staged manner. It performs internet connectivity checks, enforces execution delays, removes quarantine attributes, and deletes temporary artifacts to reduce forensic evidence and avoid sandbox analysis. The malware blends malicious actions with legitimate system validation steps, including running Apple security checks on downloaded components to further mask its behavior. After execution, it proceeds to steal credentials and data, consistent with prior MacSync activity, targeting sensitive user and system information. This campaign reflects a broader shift in macOS threats toward trusted, signed applications as malware carriers, eroding long-held assumptions about platform safety.

Organizations should not rely on code signing or notarization as proof of legitimacy, should enable advanced macOS threat prevention controls in blocking mode, closely monitor application behavior post-installation, and reinforce user guidance around downloading and installing software even when it appears trusted.

Misconfigured AI Agents Create Hidden Risk Inside ServiceNow Environments

AppOmni has identified a high-impact security risk within ServiceNow’s Now Assist AI platform that allows malicious actors to abuse default configuration settings to perform second-order prompt injection attacks. This issue does not stem from a software flaw, but from expected system behavior when agent discovery and agent-to-agent collaboration are enabled by default. Under these conditions, a seemingly harmless AI agent can be manipulated through embedded prompts in data fields to quietly enlist more powerful agents to perform unauthorized actions. These actions may include copying sensitive records, modifying data, sending external emails, or escalating user privileges. Because Now Assist agents execute tasks using the permissions of the user who initiated the interaction, low-privilege input can indirectly trigger high-privilege outcomes. Most concerning, these activities occur behind the scenes with no obvious indication to administrators or security teams.

The risk is amplified by how Now Assist is commonly deployed, with agents automatically grouped into shared teams and marked as discoverable, allowing unrestricted collaboration unless explicitly constrained. Even with built-in prompt-injection protections enabled, attackers can redirect agent behavior by exploiting cross-agent task delegation and autonomous execution. ServiceNow has confirmed the platform is functioning as designed and has updated documentation to better communicate the risks, reinforcing that configuration hygiene is now a critical security control for enterprise AI.

Organizations should reduce exposure by enforcing supervised execution for privileged agents, disabling autonomous override settings, segmenting agents by narrowly defined duties, and continuously monitoring agent behavior for deviations from intended tasks. Security leaders should treat AI agent configuration with the same rigor as identity and access management, recognizing that misconfiguration can lead directly to data exposure or privilege abuse. For additional insights on the latest LLM attack methods, including prompt injection, readers are encouraged to visit our blog page for ongoing analysis and updates on this evolving threat landscape.

Long-Running Phantom Shuttle Chrome Extension Campaign Exposes Silent Credential Theft Risk

The Socket Threat Research Team has uncovered a highly persistent credential-harvesting campaign operating through malicious Chrome extensions under the name Phantom Shuttle, which has been active since at least 2017. Marketed as professional network speed testing and VPN tools, the extensions targeted Chinese-speaking developers and foreign trade professionals and amassed more than 2,180 users through paid subscriptions. Behind the commercial façade, the extensions silently positioned themselves as man-in-the-middle proxies, intercepting user traffic and harvesting credentials without any visible warning. Hardcoded proxy credentials were automatically injected into every HTTP authentication request, allowing traffic to flow through attacker-controlled infrastructure without user awareness. Once users paid for VIP access, traffic from more than 170 high-value domains was selectively routed through malicious proxies, including cloud platforms, developer tools, corporate services, social media, and adult websites. This design gave the attacker continuous visibility into sensitive activity while maintaining the illusion of a legitimate, functional service.

The extensions combined real-time traffic interception with persistent credential exfiltration, sending plaintext email addresses and passwords to command-and-control infrastructure every five minutes under the guise of subscription validation. The backend infrastructure has remained active for over eight years, hosted on Alibaba Cloud and protected by Cloudflare, with fully functional payment processing and configuration APIs that reflect a mature criminal operation rather than a short-term campaign. The focus on developer and cloud platforms significantly elevates enterprise risk, enabling follow-on attacks that could impact source code repositories, cloud environments, and software supply chains.

Organizations should immediately audit and restrict browser extensions through allowlisting, block extensions that request proxy or authentication-interception permissions together, and monitor for unexpected proxy behavior. Individual users should regularly review installed extensions, avoid paid VPN tools with excessive permissions, and ensure personal credentials are never reused for corporate access.
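One way to apply the recommendation to flag extensions that pair proxy control with authentication interception, shown as an added example that is not taken from the Socket research or from this page's publisher. It audits `manifest.json` permissions against an allowlist; the extension ids, sample manifests and verdict policy are constructed assumptions.

```python
import json

# Chrome permission names; the verdict policy below is an assumption for illustration.
AUTH_PERMS = {"webRequestBlocking", "webRequestAuthProvider"}  # can answer onAuthRequired
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERM_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")
BLOCKING = {"proxy+auth-interception", "not-allowlisted", "unparseable-manifest"}

def audit_manifest(manifest):
    """Return risk findings for one parsed manifest.json (MV2 or MV3)."""
    perms = {p for key in PERM_KEYS for p in manifest.get(key, []) if isinstance(p, str)}
    has_proxy = "proxy" in perms
    has_auth = "webRequest" in perms and bool(perms & AUTH_PERMS)
    findings = []
    if has_proxy and has_auth:
        findings.append("proxy+auth-interception")
    elif has_proxy:
        findings.append("proxy-control")
    if (has_proxy or has_auth) and perms & BROAD_HOSTS:
        findings.append("broad-host-access")
    return findings

def audit_inventory(inventory, allowlist):
    """inventory maps extension id -> manifest.json text; returns id -> (verdict, findings)."""
    report = {}
    for ext_id, text in inventory.items():
        try:
            findings = audit_manifest(json.loads(text))
        except (ValueError, AttributeError, TypeError):
            findings = ["unparseable-manifest"]  # malformed JSON or wrong shape
        if ext_id not in allowlist:
            findings.append("not-allowlisted")
        if BLOCKING & set(findings):
            verdict = "block"
        else:
            verdict = "review" if findings else "allow"
        report[ext_id] = (verdict, findings)
    return report

# Constructed sample inventory (ids and manifests are made up for this example).
SAMPLE = {
    "example-speedtest-vpn": '{"manifest_version": 3, "permissions": ["proxy", "webRequest", "webRequestAuthProvider"], "host_permissions": ["<all_urls>"]}',
    "example-legacy-proxy": '{"manifest_version": 2, "permissions": ["proxy", "webRequest", "webRequestBlocking", "<all_urls>"]}',
    "example-proxy-switcher": '{"manifest_version": 3, "permissions": ["proxy", "storage"]}',
    "example-notes": '{"manifest_version": 3, "permissions": ["storage"]}',
}
ALLOWLIST = {"example-legacy-proxy", "example-proxy-switcher", "example-notes"}

if __name__ == "__main__":
    for ext_id, (verdict, findings) in audit_inventory(SAMPLE, ALLOWLIST).items():
        print(f"{ext_id:24} {verdict:7} {', '.join(findings) or '-'}")
```

An allowlisted extension is still blocked when it declares the proxy and authentication-interception combination, so a previously approved extension that gains those permissions in an update is caught on the next audit.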

Legitimate Monitoring Tool Abused as a Stealth Remote Access Backdoor

The Ontinue Cyber Defense Center has uncovered an active attack campaign in which threat actors are abusing Nezha, a legitimate open-source server monitoring tool, as a post-exploitation remote access capability. Nezha was originally built for system administrators to monitor servers and perform maintenance, but when deployed by an attacker, it provides full SYSTEM access on Windows and root-level control on Linux without exploiting any vulnerability. Because the software itself is legitimate and widely used, security tools do not flag it as malicious, with VirusTotal reporting zero detections across dozens of vendors. Attackers silently install the Nezha agent with a single command and configure it to communicate with the infrastructure they control rather than an authorized monitoring server. Once deployed, the tool allows interactive command execution, file browsing and transfer, and full remote terminal access that blends into normal administrative activity. Earlier research from Huntress confirms that this behavior has been observed across multiple organizations, indicating a broader, ongoing trend rather than an isolated incident.

What makes this activity especially dangerous is that Nezha operates exactly as designed, meaning attackers gain powerful control without dropping traditional malware or triggering alerts. The agent maintains persistent connections to its control server and runs with elevated privileges by default, giving attackers immediate access to sensitive systems and data once initial access is achieved. Because network traffic resembles routine monitoring activity and the binary is unmodified, detection often only occurs after attackers begin executing commands. This campaign reinforces a growing shift toward abusing trusted administrative tools to evade defenses rather than relying on custom malware.

Organizations should proactively hunt for unauthorized remote management tools, establish clear baselines for approved software, and monitor for unusual post-compromise behavior rather than relying on known-bad signatures. Security teams should also ensure endpoint protections cannot be tampered with, enforce strong attack surface reduction policies, and treat the presence of unapproved monitoring agents as a high-risk indicator requiring immediate investigation.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.